
crypto/tls: incompatibility with Trust Settings in CA certificate #31881

Open
kruftik opened this issue May 7, 2019 · 1 comment

Comments

@kruftik commented May 7, 2019

What version of Go are you using (go version)?

```
$ go version
go version go1.12.4 linux/amd64
```

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

golang:latest @ docker

go env Output
```
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build114266566=/tmp/go-build -gno-record-gcc-switches"
```

What did you do?

The standard crypto/tls library is incompatible with CA certificates (either root or intermediate ones) when they contain Trust Settings (https://www.openssl.org/docs/manmaster/man1/x509.html#TRUST_SETTINGS):

```
$ openssl x509 -in rootCA.crt -text -noout
...
No Trusted Uses.
No Rejected Uses.
Alias: XXX
...
```

Since widely used MS AD-based CAs DO have such Settings in their certs, it is hard to use encrypted connections in golang programs in such environments.

What did you expect to see?

A successful TLS handshake.

What did you see instead?

In our case the server's cert is issued by an intermediate CA which is issued by a root CA, and server.crt contains the server's cert followed by the intermediate CA's one.

When the Trust Settings are present in the intermediate's cert, TLS negotiation fails with the following errors:

```
client.go:40: tls: failed to parse certificate from server: asn1: syntax error: trailing data
server.go:55: remote error: tls: bad certificate
```

If only the root's cert contains the Settings, the errors are slightly different:

```
client.go:40: x509: certificate signed by unknown authority
server.go:55: remote error: tls: bad certificate
```

(Example client & server apps are available at https://github.com/kruftik/go-tls-vs-windows-ad-ca; build.sh prepares the binaries.)

Once the Settings are stripped from both the root and intermediate CA certs with the `openssl x509 -in rootCA.crt -out rootCA.clean.crt` command, the problem goes away.
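The "trailing data" error above comes from the way OpenSSL stores trust settings: its trusted-certificate format appends a small DER structure directly after the Certificate SEQUENCE (and writes the PEM block as `TRUSTED CERTIFICATE`), and `x509.ParseCertificate` rejects any bytes after the certificate. The following Go program is an added example, not code from the reporter's repository or from the Go project. It builds a throwaway self-signed CA (constructed sample input) with an arbitrary DER trailer standing in for the trust-settings structure, shows strict parsing failing, and then loads the same PEM with a tolerant loader that accepts both block types and discards the trailer. `splitCertAux`, `LoadCertsPEM`, `selfSignedDER`, `fakeTrailer` and `Demo` are names chosen here. Note the design choice: the trailer is dropped, not interpreted, so any "rejected uses" OpenSSL would have honoured are not applied and Go falls back to its own chain verification; that is the same effect as the reporter's `openssl x509 -in ... -out ...` cleanup, done at load time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// splitCertAux returns the first DER SEQUENCE in der (the Certificate itself)
// and whatever follows it. The trailer is returned untouched, never parsed.
func splitCertAux(der []byte) (cert, trailer []byte, err error) {
	var raw asn1.RawValue
	rest, err := asn1.Unmarshal(der, &raw)
	if err != nil {
		return nil, nil, err
	}
	if raw.Class != asn1.ClassUniversal || raw.Tag != asn1.TagSequence || !raw.IsCompound {
		return nil, nil, errors.New("leading DER element is not a SEQUENCE")
	}
	return raw.FullBytes, rest, nil
}

// LoadCertsPEM decodes every CERTIFICATE or TRUSTED CERTIFICATE block and
// parses each one after discarding a trust-settings trailer, if present.
// Other block types (keys, CRLs) are skipped.
func LoadCertsPEM(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			return certs, nil
		}
		if block.Type != "CERTIFICATE" && block.Type != "TRUSTED CERTIFICATE" {
			continue
		}
		der, _, err := splitCertAux(block.Bytes)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der) // now sees exactly one SEQUENCE
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
}

// selfSignedDER builds a throwaway self-signed CA certificate (constructed
// sample input standing in for the AD CA certificate from the report).
func selfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// fakeTrailer is a constructed DER SEQUENCE appended after the certificate to
// imitate an OpenSSL trust-settings structure; only its position matters.
func fakeTrailer() []byte {
	b, _ := asn1.Marshal(struct {
		Alias string `asn1:"utf8"`
	}{"example alias"})
	return b
}

// Demo reproduces the failure and the workaround: strict parsing of
// certificate+trailer fails, while LoadCertsPEM recovers the certificate.
func Demo() (strictFailed bool, recoveredCN string, err error) {
	der, err := selfSignedDER("example-root")
	if err != nil {
		return false, "", err
	}
	withAux := append(append([]byte{}, der...), fakeTrailer()...)
	_, strictErr := x509.ParseCertificate(withAux) // rejects trailing data
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "TRUSTED CERTIFICATE", Bytes: withAux})
	certs, err := LoadCertsPEM(pemBytes)
	if err != nil || len(certs) != 1 {
		return strictErr != nil, "", fmt.Errorf("tolerant load failed: %v", err)
	}
	return strictErr != nil, certs[0].Subject.CommonName, nil
}

func main() {
	strictFailed, cn, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("strict parse failed: %v, recovered subject CN: %s\n", strictFailed, cn)
}
```

Certificates returned by `LoadCertsPEM` can be appended to a `tls.Certificate` chain or added to an `x509.CertPool` the usual way; the only difference from a plain `pem.Decode` + `x509.ParseCertificate` loop is that the trailer is cut off before parsing.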

@andybons (Member) commented May 8, 2019

This comment has been minimized.

@andybons andybons added this to the Unplanned milestone May 8, 2019

@dmitshur dmitshur changed the title crypt/tls: incompatibility with Trust Settings in CA certificate crypto/tls: incompatibility with Trust Settings in CA certificate Jul 19, 2019
